What are First-Party and Third-Party cookies and how do they affect your website’s GDPR/CCPA compliance?
A cookie is a small piece of code that your website places on a user’s device when that visitor views your site.
Cookies allow the site to recognize users and their specific browser once they return to the same site. Cookies keep track of user movements within the site, remember their registered login and preferences and customize their experience on the site. Most importantly, cookies are the technology that allows advertisers to tailor their marketing messages to potential customers. In fact, a 2020 study by Cornell University found that 99% of cookies are used to track users or to provide targeted advertising.
A 1st party cookie refers to a cookie created by the website that a user is visiting. For example, if I have visited Amazon and it wants to create a cookie which will store my preferences while visiting that site, that will be a 1st party cookie.
Alternatively, a 3rd party cookie is a cookie that’s created (usually by an advertising network) to store information for a domain which is not the principal domain name (the website in the address bar) that you’re currently visiting. These sites own some of the content, like ads or images, that you see on the webpage you visit.
Let’s say a user is on a website, a.com. It’s an eCommerce business. The user puts something in their shopping cart. When the user comes back later, the site remembers them, and keeps their same items in the shopping cart. That’s the result of a 1st party cookie doing its job. The cookie was set by the same domain the user is on (a.com).
On the other hand, let’s say a user is on a.com, and the page they’re on contains an iframe from a different website (b.com). Cookies set by b.com accessed from an a.com page are 3rd party cookies. Accessing them from a.com is a cross-site request. This allows the site to track the user across multiple websites, and serve them ads wherever they go online.
Glad you asked! In early 2020, Google announced a new version of Chrome that would stop sending 3rd party cookies in cross-site requests unless they’re secured and flagged using an IETF standard called SameSite. Apple, at their developer conference in June 2019, announced a new version of Intelligent Prevention Tracking: the system that limits ad functionality on its native browser, Safari. The new version cracks down on 1st party cookies.
Not necessarily. With this update, those cross-site requests sent by 3rd party cookies need a special type of security stamp called SameSite. Essentially, with this Chrome update, developers need to label third-party cookies in a certain explicit way. If they don’t, the cookies may not work in Chrome. In short, this makes it harder for the “bad guys” to use cookies for nefarious purposes (e.g. stealing data and hacking websites).
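To make the labelling rule concrete, here is an added example (not code from this article or from Chrome) that classifies a `Set-Cookie` header as 1st or 3rd party for the a.com / b.com scenario above and reports whether the cookie would still travel with a cross-site embedded request such as an iframe. The function names, the sample headers and the two-label definition of a "site" are assumptions made for illustration.

```javascript
// Added example, not from the original page. Assumption: a "site" is the
// last two host labels; real browsers use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into its name and the two attributes
// that matter here: Secure and SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// pageHost: host in the address bar; setterHost: host that sent Set-Cookie.
function classify(pageHost, setterHost, header) {
  const c = parseSetCookie(header);
  const party = siteOf(pageHost) === siteOf(setterHost) ? '1st' : '3rd';
  // A missing or unrecognised SameSite value is treated as Lax.
  const sameSite = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  let crossSiteEmbed;
  if (sameSite !== 'none') crossSiteEmbed = 'withheld'; // not attached to iframe/image/script requests
  else if (!c.secure) crossSiteEmbed = 'rejected';      // SameSite=None without Secure is refused
  else crossSiteEmbed = 'sent';
  return { name: c.name, party, sameSite, crossSiteEmbed };
}

// Constructed sample headers for a visit to a.com that embeds content from b.com.
const samples = [
  ['shop.a.com', 'cart=abc123; Path=/; SameSite=Lax'],
  ['ads.b.com', 'uid=42; Path=/'],
  ['ads.b.com', 'uid=42; Path=/; SameSite=None'],
  ['ads.b.com', 'uid=42; Path=/; SameSite=None; Secure'],
];
for (const [setter, header] of samples) {
  console.log(setter, JSON.stringify(classify('a.com', setter, header)));
}
```

Only the last sample, labelled `SameSite=None; Secure`, keeps working as a 3rd party cookie inside the iframe; the unlabelled one silently stops being sent.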
These announcements are the next step in the constantly evolving data privacy landscape. From one perspective, as cookies become more limited, websites become less able to deliver personalized experiences to their visitors and customers. On the flip side, limiting cookies increases the safety of the internet and protects individuals’ privacy.
Google and Apple think your customers value privacy, so they’re making moves to protect it. Without a consent management technology on your website, your chances of protecting end-user privacy are very small, practically zero. To comply with the regulations governing cookies under the GDPR and CCPA you must:
Failure to properly account for the cookies your website collects can result in huge financial penalties!
If you want to learn how to check what cookies are running on any website, use any online search engine and follow the steps outlined.
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.